The nmap man page is a must-read in order to understand the tool and its various possibilities.

NMAP MAN PAGE:
#man nmap

NMAP HELP:
#nmap -h

NMAP CONFIGURATION FILES:
#cd /usr/share/nmap

In the configuration directory there are files such as nmap-services. Each line of that file lists a service name, the port number and transport protocol, and a field giving how often that port was found open (the frequency that --top-ports ranks by). Often there is also a comment describing the service usually found on this port.
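To see how the open-frequency column drives --top-ports, here is an added example (not from the page or the Nmap project) that ranks ports from a file in nmap-services format. The excerpt it writes is constructed for the demonstration rather than copied from the real file; point top_ports at /usr/share/nmap/nmap-services to rank the real data.

```shell
#!/bin/sh
# Added example: rank ports by the open-frequency column of an
# nmap-services-style file, the same column nmap's --top-ports consults.
# The sample data is a constructed excerpt in that format, not the real file.

# Write a constructed nmap-services-style excerpt to the file named in $1.
# Format: service  port/proto  open-frequency  [# comment]
write_sample_services() {
    cat > "$1" <<'EOF'
# Constructed excerpt in nmap-services format (values are illustrative)
http      80/tcp    0.484143   # World Wide Web HTTP
telnet    23/tcp    0.221265
https     443/tcp   0.208669   # secure http (SSL)
ftp       21/tcp    0.197667   # File Transfer [Control]
ssh       22/tcp    0.182286   # Secure Shell Login
domain    53/udp    0.213496   # Domain Name Server
snmp      161/udp   0.433467   # Simple Net Mgmt Proto
unknown   4/tcp     0.000477
EOF
}

# Print the N most frequently open ports of one protocol as a comma list
# suitable for "nmap -p". $1 = services file, $2 = tcp|udp, $3 = N.
top_ports() {
    awk -v proto="$2" '
        /^#/ { next }                        # skip comment lines
        { split($2, pp, "/") }               # pp[1] = port, pp[2] = protocol
        pp[2] == proto { print $3, pp[1] }   # frequency first so sort can rank it
    ' "$1" | LC_ALL=C sort -rn | head -n "$3" |
    awk '{ printf "%s%s", (NR > 1 ? "," : ""), $2 } END { print "" }'
}

svc=$(mktemp)
write_sample_services "$svc"
echo "top 3 tcp ports: $(top_ports "$svc" tcp 3)"
echo "top 2 udp ports: $(top_ports "$svc" udp 2)"
rm -f "$svc"
```

The port list it prints is the same selection "--top-ports N" makes for that protocol, which is useful when you want to pin a sweep to an explicit "-p" list and keep it identical across runs even after an nmap upgrade changes the frequency data.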

NMAP - ACTIVE INFORMATION GATHERING: Traffic Accountability

Let's understand the volume of traffic generated by a simple TCP connect scan of the top 1000 ports (nmap's default port selection).

The measurement below was taken with a script, iptables-counters.sh, that uses iptables byte counters to account for the traffic sent to a specific host.

This reveals around 46 KB sent for 1000 ports to be scanned. Scanning all 65535 TCP ports would therefore be around 3 MB or more per host, and 254 computers would generate around 1 GB of traffic.
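As an added example of how such a measurement can be taken (this is not the page's iptables-counters.sh, which is not reproduced here), the script below inserts iptables rules that only count traffic to and from one target, reads the exact byte counters with "iptables -vnx -L", and extrapolates the result the way the text does. The iptables calls need root; the parsing and estimate functions are exercised on constructed listings, and the target address is an assumed placeholder.

```shell
#!/bin/sh
# Added example: account for bytes exchanged with one scan target using
# iptables counters. Not the page's own iptables-counters.sh.
# Rules without a -j target only count; packets continue through the chain.

TARGET="${TARGET:-10.11.1.220}"   # assumed target address (placeholder)

# Insert counting rules at the top of INPUT and OUTPUT and zero their counters.
add_counters() {
    iptables -I INPUT  1 -s "$TARGET"
    iptables -I OUTPUT 1 -d "$TARGET"
    iptables -Z INPUT
    iptables -Z OUTPUT
}

# Remove the counting rules again once the scan has finished.
del_counters() {
    iptables -D INPUT  -s "$TARGET"
    iptables -D OUTPUT -d "$TARGET"
}

# Sum the byte column of every rule in an "iptables -vnx -L <chain>" listing
# whose source or destination equals $2. $1 = listing text, $2 = address.
# With -x the byte column is exact (no K/M suffixes) and is always field 2.
sum_bytes() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        NR > 2 { for (i = 3; i <= NF; i++) if ($i == ip) { total += $2; break } }
        END { printf "%d\n", total }'
}

# Bytes exchanged with $TARGET so far (INPUT + OUTPUT counters).
scan_bytes() {
    in_bytes=$(sum_bytes "$(iptables -vnx -L INPUT)" "$TARGET")
    out_bytes=$(sum_bytes "$(iptables -vnx -L OUTPUT)" "$TARGET")
    echo $((in_bytes + out_bytes))
}

# Extrapolate: $1 bytes measured for $2 ports, scaled to $3 ports and $4 hosts.
estimate_bytes() {
    awk -v b="$1" -v p="$2" -v t="$3" -v h="$4" 'BEGIN { printf "%d\n", b / p * t * h }'
}

# Constructed listings in the layout iptables prints (not captured from a real host).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 1200 packets, 98000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1021      23412            all  --  *      *       10.11.1.220          0.0.0.0/0
     300      12000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_OUTPUT='Chain OUTPUT (policy ACCEPT 900 packets, 60000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1017      22600            all  --  *      *       0.0.0.0/0            10.11.1.220'

total=$(( $(sum_bytes "$SAMPLE_INPUT" 10.11.1.220) + $(sum_bytes "$SAMPLE_OUTPUT" 10.11.1.220) ))
echo "bytes for 1000 ports, 1 host:     $total"
echo "all 65535 TCP ports, 1 host:      $(estimate_bytes "$total" 1000 65535 1) bytes"
echo "all 65535 TCP ports, 254 hosts:   $(estimate_bytes "$total" 1000 65535 254) bytes"
```

In use, the sequence is add_counters, run the scan, scan_bytes, del_counters. Counting both directions matters: a connect scan of closed ports is mostly SYN and RST pairs, so the reply traffic is roughly as large as what the scanner sends, and a network team watching link utilisation sees the sum.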

NMAP - ACTIVE INFORMATION GATHERING: Network Sweeping

To quickly find machines on the network without sending large amounts of traffic, network sweeping is used. We will look at using nmap's host discovery (-sn, no port scan) to perform a similar task to the earlier ping sweep.

#nmap -sn 10.11.1.250-254

The output is a bit hard to read on the terminal. Nmap provides several output formats to save results to disk for later examination.

The scan below runs a TCP connect scan of the 20 most common ports (ranked by nmap's open-frequency data) and writes the results in greppable format (-oG):
#nmap -sT --top-ports 20 10.11.1.200-254 -oG top-port-sweep.txt

Machines that appear to be rich in open ports would then be scanned more extensively.
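To pick those hosts out of the greppable file, here is an added example (not from the page) that counts open ports per host in -oG output and emits the addresses with at least a given number of open ports as an input list for a follow-up scan. The sweep file it writes is constructed in -oG format, not real output; replace it with top-port-sweep.txt.

```shell
#!/bin/sh
# Added example: triage a greppable (-oG) sweep file by open-port count.
# The sample file is constructed in -oG format, not output from a real sweep.

# Write a constructed -oG file to $1. Each port entry has the layout
# port/state/protocol/owner/service/rpcinfo/version/ and entries are comma separated.
write_sample_greppable() {
    {
        printf '# Nmap 7.91 scan initiated as: nmap -sT --top-ports 20 -oG top-port-sweep.txt 10.11.1.200-203\n'
        printf 'Host: 10.11.1.200 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.200 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (17)\n'
        printf 'Host: 10.11.1.201 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.201 ()\tPorts: 21/open/tcp//ftp///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (16)\n'
        printf 'Host: 10.11.1.203 ()\tStatus: Up\n'
        printf 'Host: 10.11.1.203 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (19)\n'
        printf '# Nmap done -- 4 IP addresses (3 hosts up) scanned in 12.34 seconds\n'
    } > "$1"
}

# Print "<open-port-count> <host>" per host, most open ports first. $1 = -oG file.
rank_hosts() {
    awk '
        /^Host:/ {
            ip = $2                      # "Host: <ip> (<hostname>)": field 2 is the address
            n = gsub(/\/open\//, "&")    # gsub returns how many "/open/" entries the line holds
            count[ip] += n               # Status-only lines add 0 but register the host
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | LC_ALL=C sort -rn
}

# Print only hosts with at least $2 open ports, one per line (usable with "nmap -iL").
hosts_with_at_least() {
    rank_hosts "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

sweep=$(mktemp)
write_sample_greppable "$sweep"
echo "open ports per host:"
rank_hosts "$sweep"
echo "hosts with 2 or more open ports:"
hosts_with_at_least "$sweep" 2
rm -f "$sweep"
```

Only entries whose state is "open" are counted; "closed" and "filtered" ports, and the "Ignored State" summary, are skipped, so the ranking reflects exposed services rather than how many ports were probed.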

NMAP - ACTIVE INFORMATION GATHERING: Nmap OS and Banner Discovery
Nmap can extract more than just TCP and UDP port states, such as the operating system and service banners.

-sV for service/version detection (banner grabbing)
-O for OS fingerprinting
-A which includes both of the above plus the default NSE script scan and traceroute

#nmap -A 10.11.1.13
This scan produces a lot of output: open TCP ports, banners, and OS fingerprinting guesses.
The earlier scan generated 46 KB of traffic; the scan using -A generated around 100 KB, more than double the amount of network traffic.

NMAP also includes several SMB scripts which can run a variety of SMB protocol checks.

To list these scripts, we can list the nse scripts directory and then grep for SMB.
************************************
# ls -l /usr/share/nmap/scripts | grep smb
************************************

The smb-enum-users script tries to enumerate user names via a null session on a given machine as part of the nmap scan. To use it:
eg:
#nmap -p 139,445 --script smb-enum-users 192.168.31.206

************************************
Another useful Nmap SMB script is smb-check-vulns, which checks for the existence of several SMB vulnerabilities. The script argument unsafe=1 enables checks that can crash or hang the target service. Newer Nmap releases split this script into individual smb-vuln-* scripts.
Eg:
#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.229

I have created a list of all IPs that appear to exist, called IPs.txt. Below I use this text file to search all machines for SMB vulnerabilities.
#nmap -p 139,445 --script="smb-vuln*" --script-args=unsafe=1 -iL IPs.txt
************************************

SMB ports are not usually exposed to the internet as they are known to be vulnerable. Many ISPs even filter out this traffic, so you are more likely to find these vulnerabilities in internal network environments. An SMB port exposed to the internet is usually either a security oversight or a lack of proper port filtering on the owner's side.

Example 4: run all NSE scripts against a target, thus scanning for multiple vulnerabilities at once. This is INTENSE: depending on a number of factors, including bandwidth, a single-IP scan like this may take over an hour to complete.
#nmap -v -p 80 --script all 192.168.31.210
**************************